Is there an option to completely disable IPV4 outgoing address for Squid


Ahmad Alzaeem
Say we want to test IPV4-IPV6 access for an ISP.
We want to access Squid over IPV4.
The DNS server IP on Squid is 8.8.8.8.

But we want DNS queries resolved only with IPV6 addresses, so that Squid doesn't pick up any IPV4 destination for a website.

I tried setting the dns_v4_1st directive to off, but I had like 98% of results with IPV6 and still like 2% of results as IPV4.
So, as an example, say Facebook is IPV4/IPV6.
I was able to get 98% of FB destinations as IPV6, but very low results on IPV4 addresses.

Is there an option for Squid to use IPV6 for outgoing and always skip the IPV4 addresses that websites resolve to?


Thanks



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Is there an option to completely disable IPV4 outgoing address for Squid

Alex Rousskov
On 2/19/20 8:47 AM, Ahmad Alzaeem wrote:

> Is there an option for squid to use IPV6 for outgoing and always skip
> IPV4 of websites resolving address ?

AFAIK, there is no such option. You might be able to fake it by denying
requests on IPv4-destined connections (via Squid ACLs and/or at the OS
level), in hope that requests on those denied connections will be
reforwarded, but I would not recommend this clumsy approach.

However, it is easy to add a DNS forwarder that would immediately
respond to all Squid A queries with an empty set of IPv4 addresses. If
you cannot configure BIND/etc. to do that, then it would only take a few
lines of code to write such a forwarder in Perl/etc. using existing DNS
resolver libraries -- you do not need a generic forwarder; only
something that can handle Squid queries...

What are you going to do with sites that have no IPv6 addresses?

Alex.
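
The forwarder described in the message above, sketched as an added example (not code from this thread or from the Squid project): it answers every A query with an empty NOERROR reply and relays all other queries to the 8.8.8.8 resolver named in the original question. The listen address and all function names are assumptions.

```python
import socket
import struct

QTYPE_A = 1  # DNS record type for IPv4 addresses

def parse_question(msg):
    """Return (qname, qtype, end_offset) of the single question in a DNS query."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype, pos + 5

def empty_answer(query, question_end):
    """NOERROR reply with zero answer records, echoing the question."""
    qid, flags = struct.unpack("!HH", query[:4])
    # Set QR (response) and RA; keep the query's opcode and RD bits; RCODE 0.
    reply_flags = 0x8000 | 0x0080 | (flags & 0x7900)
    header = struct.pack("!HHHHHH", qid, reply_flags, 1, 0, 0, 0)
    return header + query[12:question_end]

def handle(query, forward):
    """Answer A queries locally with no addresses; relay all other queries."""
    _name, qtype, end = parse_question(query)
    return empty_answer(query, end) if qtype == QTYPE_A else forward(query)

def forward_udp(query, upstream=("8.8.8.8", 53), timeout=3.0):
    """Relay a query to the upstream resolver (8.8.8.8 is the one from the post)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        return s.recvfrom(4096)[0]

def serve(bind=("127.0.0.1", 53)):  # assumed listen address; port 53 needs privileges
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(bind)
        while True:
            query, client = srv.recvfrom(4096)
            try:
                srv.sendto(handle(query, forward_udp), client)
            except (ValueError, IndexError, struct.error, OSError):
                continue  # drop malformed queries and upstream failures

if __name__ == "__main__":
    serve()
```

Names that have no AAAA records become unresolvable through this forwarder, which is the case the closing question of the message raises.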

Re: Is there an option to completely disable IPV4 outgoing address for Squid

Ahmad Alzaeem
We just need an IPV4-IPV6 conversion system for an ISP that has run out of IPV4.
So we need to minimize IPV4 usage with them.


Thanks



Re: Is there an option to completely disable IPV4 outgoing address for Squid

Amos Jeffries
Administrator
On 20/02/20 3:41 am, Ahmad Alzaeem wrote:
> We just need an IPV4-IPV6 conversion system for an ISP that has run out of IPV4.
> So we need to minimize IPV4 usage with them.
>

Stopping Squid from contacting IPv4 servers will not solve that problem
in any significant way.

On the other hand, using Squid in its default dual-stack form with one
single IPv4 address, all clients can get full access to the HTTP web by
having them contact Squid over whichever IP version they support and
Squid does the IPv4 server part.

Amos
Re: Is there an option to completely disable IPV4 outgoing address for Squid

Ahmad Alzaeem
Hello Amos ,
You are correct, but our plan is using IPV6 as much as possible.
As I said, the IPV6 of dual stack is like 98% IPV6.

My question is how, or under which circumstances, Squid can go to IPV4 as long as IPV6 dual stack exists? How come it used 98% for FB IPV6 destinations, as an example, and 2% for FB IPV4 destinations?

Is it a random process or DNS answer type?
Also, I have not found Squid directives for this area.


Is there an option to tell Squid to always use the AAAA DNS reply for certain websites, or even with a certain Squid process? And have the others, non-dual-stack, use the default case?

Many Thanks .


Re: Is there an option to completely disable IPV4 outgoing address for Squid

Amos Jeffries
Administrator
On 20/02/20 5:43 pm, Ahmad Alzaeem wrote:
> Hello Amos,
> You are correct, but our plan is using IPV6 as much as possible.
> As I said, the IPV6 of dual stack is like 98% IPV6.
>
> My question is how, or under which circumstances, Squid can go to IPV4 as long as IPV6 dual stack exists? How come it used 98% for FB IPV6 destinations, as an example, and 2% for FB IPV4 destinations?
>


Could be any number of reasons.
 - the IPv6 pipe on your network being full making the IPv4 routes
faster sometimes.
 - other transient routing issues causing connection failures when IPv6
was tried, Squid falling back to IPv4 which worked.
 - DNS resolver failing to supply AAAA fast enough so Squid uses A
result for some connections.

... or a mix of all reasons.


> Is it a random process or DNS answer type?

DNS answers using "Happy Eyeballs" algorithms, with AAAA results
preferred over, and tried before, A results when both are available.


> Also, I have not found Squid directives for this area.
>
>
> Is there an option to tell Squid to always use the AAAA DNS reply for certain websites, or even with a certain Squid process? And have the others, non-dual-stack, use the default case?
>

The BCP specifications require both to be supported with a preference
towards IPv6 whenever possible. That is what Squid does. We only provide
the --disable-ipv6 and dns_v4_first for networks with seriously broken
IPv6 setups, and both are already deprecated.


Amos
Re: Is there an option to completely disable IPV4 outgoing address for Squid

Alex Rousskov
On 2/20/20 5:21 AM, Amos Jeffries wrote:
> On 20/02/20 5:43 pm, Ahmad Alzaeem wrote:
>> My question is how, or under which circumstances, Squid can go to
>> IPV4 as long as IPV6 dual stack exists? How come it used 98% for
>> FB IPV6 destinations, as an example, and 2% for FB IPV4 destinations?

> Could be any number of reasons.
>  - the IPv6 pipe on your network being full making the IPv4 routes
> faster sometimes.
>  - other transient routing issues causing connection failures when IPv6
> was tried, Squid falling back to IPv4 which worked.
>  - DNS resolver failing to supply AAAA fast enough so Squid uses A
> result for some connections.
>
> ... or a mix of all reasons.


>> Is it a random process or DNS answer type?

> DNS answers using "Happy Eyeballs" algorithms, with AAAA results
> preferred over, and tried before, A results when both are available.

I do not remember which Squid version the OP is using, but most Happy
Eyeballs-related changes are only available starting with v5. Before v5
commit fd9c47d, Squid was indeed waiting for both A and AAAA answers if
both queries were sent, breaking use cases where one query answer was
badly delayed.

For v5+ users:

In practice, "when both are available" in Amos's explanation means "when
both are found in Squid's DNS cache". In all other cases (i.e., none
found or just one family of addresses is found), Happy Eyeballs tries to
establish a TCP connection with the first available IP address (e.g.,
the first one to get resolved), regardless of that address family.

IIRC, if Squid has to send both A and AAAA queries to resolve a domain,
Squid always sends AAAA first, so there is some IPv6 bias in that case,
but there is no artificial delay between the two queries.


HTH,

Alex.